According to Google News, BP's laptop loss has produced nearly 1,500 articles. It has also prompted security professionals to comment on the case. If you'll recall, BP lost a laptop that did not make use of laptop encryption software, affecting 13,000 gulf coast residents awaiting compensation.

Networkworld.com compares the breach to other breaches, and has quoted several security experts on the issue.

Avivah Litan, from Gartner, says "There really is no excuse for not encrypting laptops... Enterprises that are not putting in laptop encryption are just being lazy."

Pete Lindstrom with Spire Security: "I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature."

Darren Shimkus with Credant: It's surprising that even companies the size of BP don't encrypt their laptops as a matter of course these days.

Also, I ran across a stat that I had never seen before: There are federal agencies that report 100% compliance when it comes to encryption software installation, but "the government-wide average is still just more than 54%."
It really isn't. But laptop encryption comes pretty close to being a slam dunk. There are ways to get around laptop encryption, certainly:

- Instead of attacking the encryption, the weakness of passwords is targeted (brute-force cracking, i.e., trying as many passwords as possible)
- The evil maid (or janitor) attack
- Cold boot attacks

The "problem" with the above encryption runarounds is that they're still pretty hard to carry out (a good thing if you're interested in protecting, not hacking into, data). For example, cold boot attacks can be avoided by ensuring that you always turn off your computer after using it, as opposed to having it go into hibernation or sleep mode.

Defending against evil maid attacks is possible in some instances, such as when a laptop is stolen only to be returned. In that case, a full diagnostic is run before the laptop is returned back to the user.

Password guessing can be stopped by either setting limits (no passwords less than 8 characters in length, for example) or by using rate limiting tools (after the fourth wrong guess, subsequent wrong guesses are delayed by increasing periods of time. After the tenth wrong guess, the whole thing is blown up so that entering the correct password still doesn't give access to the protected content).

Like I said, laptop encryption is not a slam dunk: there are limits to what it can do. However, as you can see from the above, it's as close as it comes to being one.
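The rate-limiting policy described above (delays after the fourth wrong guess, destruction of access after the tenth) can be sketched as follows. This is an added example, not code from any encryption product: the class name `UnlockGuard`, the 30-second base delay that doubles per failure, the PBKDF2 verifier and the manually advanced clock are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class FakeClock:
    """Manually advanced clock so the demo runs instantly (constructed for this example)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class UnlockGuard:
    """Passphrase check with escalating delays and a wipe threshold."""

    FREE_ATTEMPTS = 4     # from the text: delays start after the fourth wrong guess
    WIPE_AFTER = 10       # from the text: the tenth wrong guess destroys access
    BASE_DELAY = 30       # seconds; assumed value, doubles with each further failure
    KDF_ROUNDS = 50_000   # assumed; kept modest so the demo runs quickly

    def __init__(self, passphrase, clock):
        self._clock = clock
        self._salt = os.urandom(16)
        self._verifier = self._derive(passphrase)
        self._disk_key = os.urandom(32)  # stand-in for the wrapped volume key
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, passphrase):
        return hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode("utf-8"), self._salt, self.KDF_ROUNDS
        )

    @property
    def wiped(self):
        return self._disk_key is None

    def try_unlock(self, guess):
        """Return 'ok', 'wrong', 'throttled' or 'wiped'."""
        if self.wiped:
            # Key material is gone: even the right passphrase no longer helps.
            return "wiped"
        if self._clock() < self.locked_until:
            # Refused without evaluating the guess, so hammering gains nothing.
            return "throttled"
        if hmac.compare_digest(self._derive(guess), self._verifier):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.WIPE_AFTER:
            self._disk_key = None
            self._verifier = None
            return "wiped"
        if self.failures >= self.FREE_ATTEMPTS:
            step = self.failures - self.FREE_ATTEMPTS
            self.locked_until = self._clock() + self.BASE_DELAY * 2 ** step
        return "wrong"


def simulate_guessing(passphrase="correct horse battery", wrong_guesses=10):
    """Replay a run of wrong guesses, then the right passphrase.

    Returns (outcomes, seconds_the_policy_forced_the_guesser_to_wait, final_result).
    """
    clock = FakeClock()
    guard = UnlockGuard(passphrase, clock)
    outcomes, waited = [], 0.0
    for i in range(wrong_guesses):
        if clock.now < guard.locked_until:
            # An impatient retry during the delay window is simply refused.
            outcomes.append(guard.try_unlock(f"guess-{i}"))
            waited += guard.locked_until - clock.now
            clock.now = guard.locked_until
        outcomes.append(guard.try_unlock(f"guess-{i}"))
    final = guard.try_unlock(passphrase)
    return outcomes, waited, final


if __name__ == "__main__":
    outcomes, waited, final = simulate_guessing()
    print(outcomes)
    print(f"forced wait: {waited:.0f} s, correct passphrase afterwards: {final}")
```

With these assumed delays, ten wrong guesses cost the guesser about half an hour of enforced waiting and end with the key destroyed, while a user who mistypes twice and then gets it right is never delayed.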
Related Articles and Sites:
http://www.networkworld.com/news/2011/033111-failure-to-encrypt-portable-devices.html
The theft of a desktop computer from NYU Langone Medical Center has resulted in the breach of information for 670 people. It's not mentioned what types of data security tools -- for example, hard drive encryption software like AlertBoot -- were used to protect the data. A suspect has been arrested.
The theft was noticed on January 27. The desktop computer was stolen from a research office on the fifth floor at NYU Langone, and recreating the contents of the stolen device showed that correspondence with patients was stored on it. (Oddly enough, it's mentioned that the "encrypted network back-up files" were used in the reconstitution process, but it's not mentioned whether desktop computer encryption was used on the missing computer).
653 letters included patient names, diagnoses, test results, and clinical information. Another 26 letters included medical record numbers, home addresses, dates of birth, and patient occupation. Two of these letters contained SSNs. A total of 670 letters were found on the backups (there's some overlap going on, obviously).
While a suspect is in custody, the computer has not been recovered.
The disclosure by NYU Langone Medical Center is a very forthcoming one. In fact, the admin at phiprivacy.net praised it, something that hasn't happened often for as long as I've been following the site.
But, I have to wonder if it's really as forthcoming as it appears. Why was the presence or absence of encryption software on the computer not mentioned? Is it implied that, because they had "encrypted network back-up files," that the desktop computer was also encrypted? If so, is the implication valid? Or is it a PR sleight-of-hand that leads us to believe such an implication when that was not the case?
(And, what exactly does "encrypted network back-up files" mean? Are the files encrypted, and NYU was making use of a network for remote backups, or was the network itself encrypted and backup files were shot through them, or what?)
Generally, organizations that have used proper encryption to secure sensitive files tend to mention it. And why not? It's one of the few solutions that are so successful in the data security arena that it leads people to believe that it's a cure-all (it isn't. But it's very good).
I think that NYU's 670 patients would very much appreciate it if the medical center would confirm the presence of data security software on the as-of-yet missing computer.
Related Articles and Sites:
https://www.med.nyu.edu/patients-visitors/about-us/data-breach-notification
http://www.phiprivacy.net/?p=6352
The other day I was remarking how encryption is powerful stuff, and pointed towards a problem that was pestering the FBI's crypto guys for twenty years. Yes, encryption like AlertBoot software can ensure that secrets remain exactly that, a secret.
Then there are the non-believers such as Rajib Karim, better known in the UK as the Bangladeshi that plotted a terrorist attack from the confines of British Airways's IT department. According to reports, Karim used a single-letter substitution cipher to encode messages and,
...rejected the use of a sophisticated code program called "Mujhaddin Secrets", which implements all the AES candidate cyphers, "because 'kaffirs', or non-believers, know about it so it must be less secure". [theregister.co.uk]
AES is, if you're not aware, one of the best encryption algorithms out there. It's been cleared for use by the US government to guard its secrets, and its 256-bit version is used in powering AlertBoot endpoint encryption software for laptops. Several weaknesses have been found, but nothing that would merit scrapping its use (and it's not because there's nothing of equal strength out there; it's just that the weaknesses are hard to implement successfully, and as I understand it, theoretical at this point).
Karim was right in noticing that kaffirs know about AES. Heck, kaffirs and non-kaffirs not only know about it, they know how it works: the algorithm is open for inspection by all. The strength of it lies in the fact that the encryption key, a random string of letters, numbers, and other characters, is kept secret by the person who creates it. That's why AES and other modern encryption are considered to be so powerful: you can't crack it even if you know how it works!
Karim, instead of putting in his chips with AES, decided to create his own crypto solution: an Excel spreadsheet that was a base for creating a single letter substitution cipher, more commonly known as a Caesar cipher. As you can tell from the name, it was used by the Roman general.
The cipher is pretty simple. Letters are shifted a set number of places. So, for example, if "A" is equal to "M," then "B" is equal to "N," "C" is equal to "O," and so on and so forth. So, the word "cab" would end up reading "omn." Of course, Karim didn't just use a single iteration; instead, it looks like he may have used five iterations, where a word is shifted, then the result is shifted, which is also shifted, etc. five times.
The problem with the above approach to encrypting data is that modern computers can be used to crack the problem in a very efficient manner. (That's why modern encryption was created.)
Related Articles and Sites:
http://www.theregister.co.uk/2011/03/22/ba_jihadist_trial_sentencing/
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8391162/British-Airways-bomber-jailed-for-30-years.html
A computer used to check in patients at the Eisenhower Medical Center in Rancho Mirage was stolen from the open lobby area, resulting in a data breach affecting over 500,000 people. The computer was not protected with drive encryption like AlertBoot, a calamitous decision.
Based on what I'm reading here, it's hard to believe that this computer was used just for checking-in patients, or that no one thought of using encryption software on it: the records go all the way back to the 1980s. We're talking at least 20 years, at most 30 years. You know how many hardware revolutions we've had since?
According to mydesert.com, breach notification letters were sent to patients. In them, patients were informed that the breach occurred on March 11. The computer that was stolen contained a backup file with information on 514,330 patients that dated as far back as the 1980s (early 1980s? Late 1980s?).
Thankfully, the file only included patient names, ages, dates of birth, the last four digits of SSNs, and the hospital medical record number. Certainly beats having your full SSN exposed. On the other hand, who knows what could be done with such information? I've speculated in the past of using an extensive database to "play the odds."
This is what I had to say about taking advantage of a large database with supposedly non-sensitive information:

Described in John Allen Paulos's Innumeracy, the stock market scam is a game of probability (some would say certainty). You cull 10,000 names and addresses from the phone book. For half of them, you send a letter claiming the stock market is going to go up next week; for the other half that it’s going to go down. Next week, you target the 5000 names for whom your "prediction" was correct. Half of them get a second letter saying the market is going to go up; the other half, down. Rinse and repeat as needed.

At the end of this process, you will get a handful of believers that think you’re the best trader since Warren Buffett and George Soros combined. You tell them they won’t get the final letter unless you get $10,000 from each one. With the impressive track record, investors send you money (they don’t know how many are in on this thing), get a second mortgage to invest its proceeds, and wait with bated breath. You disappear. Time generally tends to be on the criminal’s side, if you think about it.

Of course, you can't pull off the above example in this case. We're talking about medical info, not financial data. On the other hand, a variation of it could be performed. For example:

- Instead of money, the criminals ask for SSNs, claiming that they must have made an error when entering it into their database. They provide the last four digits as proof, leading some (or many) to believe, "hey, they must have made a typo somewhere -- those certainly are the last 4 digits to my SSN!"
- The criminals draft up a letter on counterfeit hospital letterhead to make it seem official.
- The address in the return envelope and the convenient "correct my SSN form" (counterfeit as well) shows a PO Box in the Eisenhower Medical Center area.

One could even include a toll-free number to call if people have any questions -- a number that rings the criminals' phones!
What are the chances? Pretty slim, I'll admit, especially when you consider addresses, phone numbers, e-mail addresses, etc. were not included. If the thieves are smart, they'd have to somehow take public data and match it up to the name and hope for the best.
But, look at the incentives for criminals: at the end of the scam, they'd have full SSNs, names, and dates of birth. As far as I know, this is all you need to pull off medical fraud. And, seeing how you're dealing with over half-a-million people, even a turnaround of 2% means 10,000 records. That's a bonanza.
My point is this: you can't, as an organization or victim, rest easy just because a stolen database doesn't strictly contain sensitive information.
The computer that was stolen from Eisenhower's premises should have been encrypted. Certainly, the backup file containing over 20 years' worth of patient information would have made it necessary. But that's not the only reason. The last time I checked, a patient's name alone is regarded as protected health information, PHI. (I'm not a lawyer, by the way. I could be off on this, although I'm pretty sure I'm not.)
The hospital used the computer to check in patients? They should have had an interest in using some kind of HIPAA-compliant cryptographic tool to protect the contents of the computer. After all, traditional tools like locking the computer wouldn't have been available in an open lobby.
Related Articles and Sites:
http://www.mydesert.com/article/20110330/NEWS01/103300308/1016/FBI-state-agents-search-Rancho-Mirage-plastic-surgery-center/Eisenhower-Medical-Center-Computer-patient-info-stolen
You could do worse, much worse, than full disk encryption when it comes to keeping data on hard disk drives secure (password-protection comes to mind). On the "better than encryption" stack, nothing beats destroying disks if you really, really, REALLY want to ensure that no one gets to the data (including yourself, the owner).
Which is why the UK's Home Office has shredded 500 hard drives and 100 backup tapes that were used in the now-scrapped National Identity Register (or at least, it should be the reason, with photo ops being the cherry on top). According to networkworld.com, the Home Office was quoted as saying "the drives were 'magnetically wiped and shredded. They will soon be incinerated in an environmentally friendly waste-for-energy process.'"
A little overkill, it seems like: what's the use of wiping the data if the disks are going to be shredded and incinerated?
Actually, it's not overkill. It might be in this particular instance, since it's a high-profile case: you can bet people are on hand to witness the drives' successful destruction.
When it comes to your average disk destruction event, though, what generally happens is this: you hand over your to-be-destroyed disks to some contractor; the contractor does the deed, then gives you a certificate of destruction; and everyone goes home happy. Again, to emphasize the point, generally that's what happens.
What sometimes also happens (a pretty rare event) is that someone with the contracting firm misappropriates some of those hard drives and sells them on the used market. That's a data breach that's outside one's control, no matter how you slice it.
So, what to do? The answer is obvious: wipe the data before handing it over to the contractor. Or, you can also send someone from your office to essentially witness the destruction from beginning to end (that's some well-spent minimum wage. Yeah, I'm being sarcastic).
I should point out at this point that data security practices like destruction, while absolute in their security, are only applicable to a device's end-of-life stage: prior to that you're still susceptible to a data breach, so encryption software like AlertBoot is necessary.
An added benefit is that you could in theory (and, I have to say, in practice) just hand over the hard disk drives to the contractor without fear of repercussions in the future, no matter what may happen, ensuring something doesn't go awry at a critical point in data management.
Related Articles and Sites:
http://www.networkworld.com/community/blog/destroyed-hard-drives-kills-uk-national-id-ca
BP, the UK oil company infamous for the Deepwater Horizon accident in the Mexican Gulf, has given "it" to Gulf Coast residents again: a laptop containing SSNs of thousands of oil spill victims has been lost. The machine was password-protected, but it did not feature data encryption software such as AlertBoot.

Update (30 MAR 2011): The Associated Press mentions that the laptop held a spreadsheet with sensitive information.
An employee lost the unencrypted laptop; it is not known how, since BP is declining to reveal that information because of an ongoing investigation. There are rumors that it was lost during a routine business travel (per computerworld.com. It wouldn't surprise me. A lot of laptops go missing at airports. A good percentage of them are stolen. Sometimes there's a mix up).
This latest corporate data breach incident will affect 13,000 people, individuals who have filed claims with the energy giant per the deepwater oil drilling fiasco from last year. The lost laptop contained names, SSNs, addresses, phone numbers, and dates of birth. I've got to wonder why SSNs were collected. I'm sure there must have been a good reason for it, though (maybe for reporting to the IRS?) seeing how many lawyers the company must have hired in the last year.
BP noted that the laptop was password-protected but not encrypted. As you can read from the preceding link, password-protection doesn't even come close to what encryption can do when it comes to data protection.

Indeed, when you think about how easy it is to overcome password-protection, it makes you wonder: is it protecting the computer from you, the user? 'Cause it's certainly not protecting the data from laptop thieves, at least not from the ones that are stealing laptops for the data in them.

BP is a global company. It must have secrets that it guards jealously, such as projections and estimates regarding undrilled oil fields. You can bet that this information, and research associated with this information, is labeled as "classified" and "secret," and I'm willing to bet that it's stored in encrypted form.

Why wouldn't they do the same for people's information? I mean, it's not as if they're not familiar with the concept of whole encryption software (this is an assumption on my part, but let's face it, no way a Fortune 500 company is unaware of the importance and use of encryption).

It's a shame for so many reasons. First, had full laptop encryption been used, the information on 13,000 people would be secure--no ifs or buts. Second, BP would have been granted safe harbor from having to take this second PR fiasco: many of the states surrounding the Gulf of Mexico grant protection if personal information is lost but encrypted.

- Louisiana data breach law. I've read/heard that LA doesn't actually provide safe harbor for encrypted data, but a search for "encryption" shows otherwise
- Texas data breach law
- Mississippi data breach law

Florida also has a law on its books. Alabama is the only Gulf state that doesn't have a data breach notification law, as far as I know (as always, I'm not a lawyer).
Related Articles and Sites:
http://www.foxnews.com/us/2011/03/29/bp-loses-laptop-containing-claimants-personal-information/
http://www.cnn.com/2011/US/03/29/bp.lost.laptop/
http://www.zdnet.co.uk/news/security-threats/2011/03/30/bp-loses-data-from-deepwater-horizon-claimants-40092333/?s_cid=938